- Just installed iOS 18.4? Changing these 3 features made my iPhone much better to use
- 7 strategic insights business and IT leaders need for AI transformation in 2025
- The most underrated robot vacuum I've ever tested is now 60% off
- This video doorbell gave me similar benefits as a Ring but with no monthly subscriptions
- ChatGPT's GPT-4 model retires soon - some users can continue to access it
Linux version of REvil ransomware targets ESXi VM
The REvil ransomware operators added a Linux encryptor to their arsenal to encrypt Vmware ESXi virtual machines.
The REvil ransomware operators are now using a Linux encryptor to encrypts Vmware ESXi virtual machines which are widely adopted by enterprises.
The availability of the Linux encryptor was announced by the REvil gang in May, a circumstance that suggests the group is expanding its operation.
Now MalwareHunterTeam researchers spotted a Linux version of the REvil ransomware that also targets ESXi servers, BleepingComputer reported.
REvil ransomware Linux version…
👀
Config base:
{“pk”:”[…]”,”pid”:”[…]”,”sub”:”[…]”,”dbg”:false,”et”:0,”nbody”:”[…]”,”nname”:”{EXT}-readme.txt”,”rdmcnt”:0,”ext”:”.[…]”}
“Using silent mode, if you on esxi – stop VMs manualy”@demonslay335 @VK_Intel pic.twitter.com/K08zJuI5Z8— MalwareHunterTeam (@malwrhunterteam) June 28, 2021
The popular malware researcher Vitali Kremez explained that the new variant is an ELF64 executable with the same configuration options as the Windows version.
“Kremez states that this is the first known time the Linux variant has been publicly available since it was released.” states BleepingComputer.
2021-06-28:🔥🔒#REvil #Ransomware Goes Elf Hunting for VMware ESXi VM | Linux 64-Bit Flavor
1⃣Leverages “esxcli” CLI component to kill VMs via world id
2⃣affiliate “sub”:”7864″ | usual struct
3⃣GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.4) 4.8.4
*requires admin /vmfsht @malwrhunterteam pic.twitter.com/guhYzXkeBL
— Vitali Kremez (@VK_Intel) June 28, 2021
Upon executing on ESXi servers, the Linux version of the ransomware will run the esxcli command line tool to list all running ESXi virtual machines and close the virtual machine disk (VMDK) files stored in the /vmfs/ folder. Then the REvil ransomware will encrypt the files.
esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process list | awk -F “”*,”*” ‘{system(“esxcli vm process kill –type=force –world-id=” $1)}’
Indicators of Compromise (IoC) for REvil Linux encryptor have been published by security expert Jaime Blasco on Alienvault’s Open Threat Exchange.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine
